Security SafeguardsBy Baselinemag | Posted 2008-04-30 Email Print
Virtualization technology can deliver cost savings and improve IT performance, but it also introduces new security concerns. In this summary of a Burton Group report, security expert Pete Lindstrom examines the security considerations unique to virtualized IT environments.
Security teams should take a number of steps to ensure the improved protection of virtual environments, including:
Use all existing security mechanisms. Since one of the primary goals of virtualization is transparency, all current host-based solutions should operate in exactly the same way, with limited need for modifications. Existing solutions may not be optimal, but they’ll provide reasonable security.
Get your administrative act together. The dynamic nature of the VM lifecycle and the potential for VM sprawl hint at an even more difficult asset-management environment in the virtual world. It is prudent to ensure that administrative procedures are ready for identifying and tracking VMs throughout the environment.
Look for ways to move security of of the VM. Enterprises can reduce or eradicate agents from VMs and create separate process spaces for user activities and security functions.
Manage virtual machines like files and systems. The portability of VMs makes them vulnerable to file-style attacks, so they must be protected in a similar fashion. The goal of file-oriented management is recognizing the file objects and providing cryptographic and access-control protection for them.
Encrypt network traffic where possible. Encrypted communications provide some protection against local sniffing threats that may come from other VMs or the hypervisor.
Practice segregation of functions. Because multiple VMs can be run on the same machine, it may be possible to create separate compartments for security components. Strong candidates for segregation include logging events externally, maintaining separate keys for encryption, and separating policy and configuration from the image.
Pete Lindstrom, a senior analyst at the Burton Group, specializes in security metrics, risk management, Web 2.0/SOA/Web services security and securing new technologies.